
Two Russian cybercrime groups have been exploiting a high-severity zero-day in the widely used WinRAR file compressor, cybersecurity firm ESET has found.
ESET researchers first spotted the attacks on July 18th, when the company's telemetry flagged a file in an unusual directory path.
Nearly a week later, ESET concluded that the suspicious activity stemmed from the exploitation of a previously unknown vulnerability in WinRAR, a file-compression utility with a user base of around 500 million.
The vulnerability, now tracked as CVE-2025-8088, involves alternate data streams (ADS), an NTFS feature that lets a single file carry additional named streams of data alongside its main content (written as file.txt:streamname).
A malicious archive embeds path-traversal sequences such as ..\ in the names of those streams, and a vulnerable WinRAR applied them when writing the streams out. The result is a path traversal flaw: instead of extracting only into the folder the user chose, WinRAR wrote attacker-supplied executables to locations of the attacker's choosing, such as %TEMP% and %LOCALAPPDATA%, and, according to ESET's analysis, a shortcut into the user's Startup folder so the payload runs at the next logon. No privilege escalation is needed, since all of these locations are writable by the user; the point is that the archive, not the user, decided where the files landed.
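The check that a safe extractor must make is that every entry, including the stream-name part of an ADS entry, resolves to a path inside the chosen extraction directory. The following Python script is an added illustration of that check; it is not ESET's or WinRAR's code and does not parse RAR files. It uses the standard-library ntpath module so that Windows path rules are emulated on any host, and the entry names it audits are constructed samples, not the names from the archives ESET analysed.

```python
import ntpath

# Constructed sample entry names for illustration; they are NOT the entry
# names from the real archives, and the extraction directory is assumed.
EXTRACT_DIR = "C:\\Users\\victim\\Downloads\\cv"
SAMPLE_ENTRIES = [
    "Eli_Rossi_CV.txt",                                    # ordinary file
    "docs/readme.txt",                                     # forward slashes, still inside
    "cv.txt:Zone.Identifier",                              # benign ADS (mark-of-the-web)
    "..\\..\\evil.exe",                                    # classic path traversal
    "cv.txt:..\\..\\..\\..\\AppData\\Local\\payload.dll",  # traversal hidden in the ADS name
    "C:\\Windows\\System32\\x.dll",                        # absolute path
]


def split_ads(entry):
    """Split NTFS 'name:stream' syntax into (name, stream or None).

    A drive prefix such as 'C:\\' is removed first so its colon is not taken
    for a stream separator. A one-letter file name with an ADS ('a:stream')
    is indistinguishable from a drive-relative path and is left for
    resolve_target() to reject as such, which is the conservative outcome.
    """
    drive, rest = ntpath.splitdrive(entry)
    name, colon, stream = rest.partition(":")
    if not colon:
        return entry, None
    return drive + name, stream


def resolve_target(extract_dir, entry):
    """Return the absolute path an entry would be written to, or raise
    ValueError if it would land outside extract_dir.

    Both the file name and, for an ADS entry, the stream name are checked.
    An extractor that validates only the file name and then appends an
    unchecked stream name is the shape of bug CVE-2025-8088 describes.
    """
    name, stream = split_ads(entry)
    if ntpath.isabs(name) or ntpath.splitdrive(name)[0]:
        raise ValueError(f"absolute or drive-relative path: {entry!r}")
    root = ntpath.normpath(extract_dir)
    # normpath collapses '..' and '.', so a traversal shows up as a target
    # that no longer has the extraction directory as its prefix.
    target = ntpath.normpath(ntpath.join(root, name))
    if not ntpath.normcase(target).startswith(ntpath.normcase(root) + "\\"):
        raise ValueError(f"path traversal: {entry!r} -> {target}")
    if stream is not None:
        # A stream name is a bare identifier: no separators, no '..'.
        if not stream or any(c in stream for c in "\\/:") or stream in (".", ".."):
            raise ValueError(f"unsafe stream name in ADS entry: {entry!r}")
        target += ":" + stream
    return target


def audit(extract_dir, entries):
    """Classify each entry as ('ok', target) or ('reject', reason)."""
    results = {}
    for entry in entries:
        try:
            results[entry] = ("ok", resolve_target(extract_dir, entry))
        except ValueError as exc:
            results[entry] = ("reject", str(exc))
    return results


if __name__ == "__main__":
    for entry, (verdict, detail) in audit(EXTRACT_DIR, SAMPLE_ENTRIES).items():
        print(f"{verdict:6} {entry!r:58} {detail}")
```

Two of the six sample entries are legitimate ADS uses (Zone.Identifier is how Windows records mark-of-the-web), which is why the script rejects stream names containing separators rather than rejecting ADS entries outright.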
In practice, the attacks backdoor the computers of users who open malicious archives attached to phishing messages, some of them personalized.
According to ESET telemetry, such archives were used in spearphishing campaigns from July 18th to 21st, 2025, targeting financial, manufacturing, defense, and logistics companies in Europe and Canada.
The malicious archives were disguised as job applications: in every case the attackers sent a supposed CV, hoping a curious target would open it. ESET said none of the targets it observed were compromised.
ESET attributes the attacks to RomCom, its name for a financially motivated crime group operating out of Russia that also conducts espionage. The group is also tracked as Storm-0978, Tropical Scorpius, and UNC2596.
“This is at least the third time that RomCom has been caught exploiting a significant zero-day vulnerability in the wild,” said ESET.
Previous examples include CVE-2023-36884, exploited through Microsoft Word in June 2023, and CVE-2024-9680, a Firefox vulnerability that was chained with another previously unknown vulnerability in Windows, CVE-2024-49039.
“By exploiting a previously unknown zero-day vulnerability in WinRAR, the RomCom group has shown that it is willing to invest serious effort and resources into its cyberoperations,” ESET’s Anton Cherepanov, Peter Strýček, and Damien Schaeffer wrote.
RomCom wasn't the only group exploiting CVE-2025-8088. According to the Russian security firm Bi.ZONE, the same vulnerability was also being exploited by a group it tracks as Paper Werewolf.
It's unclear whether the two Russian cybercrime groups are connected. Either way, ESET said it notified the WinRAR developers of its findings, and a fix was released a few days later.
It’s not the first time WinRAR vulnerabilities have been exploited to spread malware, so the problem is not going away.
WinRAR is an almost perfect vehicle for spreading malware because it has no automated update mechanism: users must notice that a fix exists, then download and install it themselves, so vulnerable copies linger for years. Users should update to the current release, WinRAR 7.13, or later; every earlier version remains exploitable. The fix also covers the separately shipped Windows command-line RAR and UnRAR tools and UnRAR.dll, which need to be updated on their own, while the Unix builds are not affected.